We have a site that is experiencing SIP Protocol Violation errors from the Zone-Based Firewall Policy configuration. Here is a little bit of info about the site design and some logs desplaying this particular error:
-remote site connected to central site via a vpn tunnel
-both routers(1841 & 2801) have a basic ZBFW config that is specifying SIP traffic as being permissible from one site to the other
-phones are Grandstream and SIP server is a Trixbox(we use CME and Cisco IP Phones for all of our builds; these two sites are for a small company that made a purely cost-driven decision about equipment)
-SIP server is 192.168.14.10 at central site
-Grandstream phones are 172.20.14.0/24 at remote site
The following are logged sessions from the router at the remote site(where phones are attempting to establish communication across vpn tunnel with SIP server):
1)phone to server SIP traffic
a)Aug 4 11:16:19 188.8.131.52 67: NSA_remote: 000063: Aug 4 15:16:19.055 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(InsideToCentral:outbound_sip_class):Start sip session: initiator (172.20.14.30:5060) -- responder (192.168.14.10:5060)
b)Aug 4 11:16:19 184.108.40.206 68: NSA_remote: 000064: Aug 4 15:16:19.135 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Forbidden header field found) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair InsideToCentral class outbound_sip_class
c)Aug 4 11:16:19 220.127.116.11 69: NSA_remote: 000065: Aug 4 15:16:19.135 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(InsideToCentral:outbound_sip_class):Stop sip session: initiator (172.20.14.30:5060) sent 585 bytes -- responder (192.168.14.10:5060) sent 0 bytes
2)server to phone SIP traffic:
a)Aug 4 11:16:19 18.104.22.168 70: NSA_remote: 000066: Aug 4 15:16:19.139 UTC: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(CentralToInside:inbound_sip_class):Start sip session: initiator (192.168.14.10:5060) -- responder (172.20.14.30:5060)
b)Aug 4 11:16:19 22.214.171.124 71: NSA_remote: 000067: Aug 4 15:16:19.143 UTC: %AIC-4-SIP_PROTOCOL_VIOLATION: SIP protocol violation (Invalid Dialog) - dropping udp session 192.168.14.10:5060 172.20.14.30:5060 on zone-pair CentralToInside class inbound_sip_class
c)Aug 4 11:16:20 126.96.36.199 72: NSA_remote: 000068: Aug 4 15:16:19.143 UTC: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(CentralToInside:inbound_sip_class):Stop sip session: initiator (192.168.14.10:5060) sent 0 bytes -- responder (172.20.14.30:5060) sent 0 bytes
For each attempt, outbound sip traffic(from phone to server) flags the "Forbidden header field found" violation. And inbound sip traffic(server to phone) flags the "Invalid Dialog" traffic.
I have posted this over in the IP Telephony section of Netpro as well.
Any help would be greatly appreciated. Thanks for your time.
In the pcap, i see all REGISTER messages. I dont see 100 Trying messages. i believe the pcap was captured when firewall is in place which dropped the non-RFC compliant 100 Trying messages. From the debugs i infer that, the 100 Trying message had "CONTACT" and "REPLY-TO" headers which as per RFC 3261 should not be present. You need to check your SIP gateway why is that sending non-RFC 100 messages. On IOS Firewall, you can skip this strict RFC-3261 check by having the follwoing config.
Class-map type inspect sip class-sip
Policy-map type inspect sip policy-sip
Class type inspect sip class-sip
class-map type inspect match-any cmap
match protocol sip
policy-map type inspect pmap
class type inspect cmap
service-policy sip policy-sip
Hope this helps.